{"id":71,"date":"2009-07-08T02:29:00","date_gmt":"2009-07-08T07:29:00","guid":{"rendered":"http:\/\/www.rajatswarup.com\/blog\/?p=71"},"modified":"2010-02-10T23:19:00","modified_gmt":"2010-02-11T04:19:00","slug":"bit-of-forensics","status":"publish","type":"post","link":"https:\/\/www.rajatswarup.com\/blog\/2009\/07\/08\/bit-of-forensics\/","title":{"rendered":"Bit of Forensics"},"content":{"rendered":"<p>I like using <a href=\"http:\/\/dcfldd.sourceforge.net\/\">dcfldd<\/a> for creating the raw images, because it shows a nice status&#8230;it&#8217;s interesting to see progress.<\/p>\n<p><span style=\"font-family:courier new;\">dcfldd if=\/dev\/sda of=\/mnt\/sdb1\/filename.dd hash=md5 md5log=hashfile.md5 conv=noerror,sync bs=4096<\/span><\/p>\n<p>It&#8217;s the &#8216;bs&#8217; (block size, not byte size) that makes the difference (&#8230;always does doesn&#8217;t it ;-). The default block size is 512 bytes, so bs=4096 cuts the number of read and write calls by a factor of eight. The conv options matter just as much: noerror keeps going after a read error instead of aborting, and sync pads the short block with zeros so that every later byte stays at its original offset in the image; the price is that one unreadable sector turns into a whole zero-filled 4096-byte block. The hash=md5 md5log=hashfile.md5 pair writes the MD5 of the copied data to hashfile.md5; keep that file with the image and re-hash the image later to confirm it has not changed. MD5 is fine for catching accidental corruption but is no longer collision-resistant, so record a second digest as well (dcfldd can compute SHA-256 alongside MD5) if the image may have to stand up to challenge.<\/p>\n<p><a href=\"http:\/\/www.sleuthkit.org\/autopsy\/\">Autopsy<\/a> &#8211; The forensics browser by default uses ~\/.autopsy as the base directory for storing the files from the cases. Point it at a larger (or dedicated evidence) volume with the -d option:<\/p>\n<p>.\/autopsy -d \/mountpoint\/dirname<\/p>\n<p>The <a href=\"http:\/\/www.sno.phy.queensu.ca\/~phil\/exiftool\/\">exiftool<\/a> is a cool application that reads (and writes) the metadata embedded in images, documents and many other file formats, and identifies a file&#8217;s type from its content rather than trusting its extension.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I like using dcfldd for creating the raw images, because it shows a nice status&#8230;it&#8217;s interesting to see progress. dcfldd if=\/dev\/sda of=\/mnt\/sdb1\/filename.dd hash=md5 md5log=hashfile.md5 conv=noerror,sync bs=4096 It&#8217;s the &#8216;bs&#8217; (block size, not byte size) that makes the difference (&#8230;always does doesn&#8217;t it ;-). Autopsy &#8211; The forensics browser by default uses ~\/.autopsy as the base directory for [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[197],"tags":[225,226],"class_list":["post-71","post","type-post","status-publish","format-standard","hentry","category-tools","tag-dd","tag-forensics"],"_links":{"self":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts\/71","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/comments?post=71"}],"version-history":[{"count":1,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts\/71\/revisions"}],"predecessor-version":[{"id":96,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/posts\/71\/revisions\/96"}],"wp:attachment":[{"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/media?parent=71"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/categories?post=71"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rajatswarup.com\/blog\/wp-json\/wp\/v2\/tags?post=71"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
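Added example, not from the original post: the imaging step from the dcfldd line above as a shell function, using plain dd (dcfldd is assumed not to be installed, so the hash is taken with coreutils md5sum/sha256sum after the copy) with the same bs=4096 conv=noerror,sync options, followed by the hash check a practitioner wants before relying on an image. The sample inputs are constructed random files standing in for a block device, and the function and file names (make_sample, image_and_verify, image_size, demo) are mine.

```shell
#!/bin/sh
# Added example (not part of the original post): image a source the way the
# dcfldd line does, then verify the result by hash.
# Assumptions: dd and coreutils (md5sum, sha256sum, wc) are present; dcfldd is not.

# make_sample FILE BS COUNT
# Constructed test input: BS*COUNT random bytes, standing in for /dev/sda.
make_sample() {
    dd if=/dev/urandom of="$1" bs="$2" count="$3" 2>/dev/null
}

# image_and_verify SRC DST
# Copies SRC to DST with bs=4096 conv=noerror,sync (the options from the post),
# writes DST.md5 and DST.sha256 beside the image (the md5log= idea, plus a
# second digest because MD5 alone is no longer collision-resistant), and
# prints "match" when SRC and DST hash identically, "mismatch" otherwise.
image_and_verify() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    src_md5=$(md5sum < "$src" | cut -d' ' -f1)
    dst_md5=$(md5sum < "$dst" | cut -d' ' -f1)
    echo "$dst_md5" > "$dst.md5"
    sha256sum < "$dst" | cut -d' ' -f1 > "$dst.sha256"
    if [ "$src_md5" = "$dst_md5" ]; then echo match; else echo mismatch; fi
}

# image_size FILE : length in bytes, to show what conv=sync does to a partial block
image_size() {
    wc -c < "$1" | tr -d ' '
}

# demo: a block-aligned source images byte-for-byte; a 5000-byte source is
# padded to 8192 bytes by conv=sync, so its image can no longer hash-match
# the source. Whole disks are block-aligned, so on real media the mismatch
# only appears where noerror has replaced an unreadable block with zeros.
demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp/aligned.bin" 4096 2      # 8192 bytes
    make_sample "$tmp/unaligned.bin" 1000 5    # 5000 bytes
    echo "aligned:   $(image_and_verify "$tmp/aligned.bin" "$tmp/aligned.dd") $(image_size "$tmp/aligned.dd") bytes"
    echo "unaligned: $(image_and_verify "$tmp/unaligned.bin" "$tmp/unaligned.dd") $(image_size "$tmp/unaligned.dd") bytes"
    rm -rf "$tmp"
}

# Run the constructed demo with:  sh image.sh demo
# On real media (as root):        image_and_verify /dev/sdb /mnt/evidence/sdb.dd
if [ "${1:-}" = "demo" ]; then demo; fi
```

The second sample is the caveat in miniature: because its 5000 bytes are not a multiple of the 4096-byte block, conv=sync pads the last block and the image comes out at 8192 bytes with a different digest from the source. That is exactly what happens around a bad sector on a real disk, which is why the digest to keep is the one taken of the image as acquired, not one taken of the source media afterwards.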